
Why your business should consider a security risk assessment

by Alex Morkos

Many businesses consider themselves protected against cybersecurity risks because they’ve implemented security ‘tools’ or ‘products’. While tooling is an essential component of cybersecurity, it’s nowhere near enough on its own to protect an organisation from cyberthreats unless you can explain how those tools support the business’s objectives.

You can only consider your organisation to be protected if you know what it is you are protecting, and what you have implemented is focused on protecting just that.

A successful security strategy will have a mix of security tools, processes, and policies followed and supported by employees. Just having the right tools won’t cut it, and just having a strong security policy won’t protect you: it’s having the right mix of security measures that makes the difference.

But how do you know what the right mix is?

That’s where a security risk assessment comes in.

To adequately protect your business, you need to understand all the potential entry points for cyberattackers and create a holistic strategy that leaves no door open. But there are so many areas to consider that it’s easy to overlook some.

The trick is to find the balance between security and usability.

There are five key questions you should ask to determine your security strategy:

What do we need to protect?

If you have an online presence you will have some assets that are critical and material to your operations and that can be affected by cyberthreats. For example, if you run an online store, or sell financial products online, you will need to protect customer data as well as any IP in the online application that gives you a competitive advantage. Understanding what data and assets your organisation has and how they relate to the business’s ability to operate safely and in good standing is key to knowing what to protect.

What is our risk appetite?

You need to understand what outages your business is prepared to accept, what level of negative media attention you can withstand before it affects the business, and whether there is confidential or private data on the network and, if so, how valuable it is to the business.

What are the real threats this attack surface presents?

Even something as seemingly innocuous as a printer can leave an organisation wide open to significant threats. Compromising the printer network lets attackers control and monitor the corporate network. They can see all documents printed, explore and identify other weaknesses in the network, create an internal denial of service attack and make it difficult to troubleshoot. This type of incursion typically survives standard malware clean-outs. Understanding the reality of the threats you may face will help you determine your risk profile.

What are the potential consequences of an attack via this entry point?

The consequences of an attack will vary depending on the business but can include disruption to normal operations, confidential data leakage and privacy infringements. In turn this can lead to fines under the Privacy Act and reputation damage, particularly if the attacker uses your network to attack others. In some cases, you may decide that a particular vulnerability isn’t worth strengthening because an attack is unlikely to cause much damage.

How likely is an attack?

The likelihood of an attack depends on how open the network is to the public and the level of interest in the business itself. Some businesses are less likely to be attacked than others, depending on factors such as the industry they operate in or the businesses they partner with.

It’s important to conduct a security risk assessment, preferably in partnership with a cybersecurity expert. The next step is to consider what controls should be implemented to protect the business. No single type of control is enough on its own, so combine them deliberately: use preventative and detective controls together, and make sure you have a response plan that is approved, understood and tested.
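To show how the five questions above and the preventative/detective pairing translate into something you can actually work through, here is a small risk register written as an added example; it is not code from the original article or from the author. The asset names, threat descriptions, likelihood and impact ratings, the likelihood-times-impact scoring and the appetite threshold are all constructed assumptions, chosen to illustrate the method rather than to describe any real business.

```python
"""Minimal risk register modelled on the five questions in the article.

Added example, not from the original article. Every asset, rating and
threshold below is a constructed sample value.
"""
from dataclasses import dataclass, field

# Ordinal ratings for likelihood and impact (assumption: a 3-point scale).
LEVELS = {"low": 1, "medium": 2, "high": 3}


@dataclass
class Risk:
    asset: str                       # Q1: what do we need to protect?
    threat: str                      # Q3: what real threat does this entry point present?
    consequence: str                 # Q4: what happens if it is attacked?
    likelihood: str                  # Q5: how likely is an attack? (low/medium/high)
    impact: str                      # severity of the consequence (low/medium/high)
    controls: dict = field(default_factory=dict)  # {"preventive": [...], "detective": [...]}

    def score(self) -> int:
        """Likelihood x impact, the usual qualitative risk score (1..9 here)."""
        return LEVELS[self.likelihood] * LEVELS[self.impact]


def exceeds_appetite(risk: Risk, appetite: int) -> bool:
    """Q2: the business accepts any risk scoring at or below its appetite."""
    return risk.score() > appetite


def control_gaps(risk: Risk) -> list:
    """Which control families are missing: the article asks for preventive
    and detective controls to be used together, so both are required."""
    return [kind for kind in ("preventive", "detective") if not risk.controls.get(kind)]


def prioritise(register: list, appetite: int) -> list:
    """Risks above appetite, highest score first, each with its control gaps."""
    above = [r for r in register if exceeds_appetite(r, appetite)]
    above.sort(key=lambda r: r.score(), reverse=True)
    return [(r.asset, r.threat, r.score(), control_gaps(r)) for r in above]


# Constructed sample register for a small online retailer.
SAMPLE_REGISTER = [
    Risk("customer database", "credential theft via phishing",
         "privacy breach, regulatory fines", "high", "high",
         {"preventive": ["MFA on admin accounts"], "detective": []}),
    Risk("network printer", "compromised firmware used as a foothold",
         "internal denial of service, printed documents exposed", "medium", "medium",
         {"preventive": [], "detective": []}),
    Risk("marketing brochure site", "defacement",
         "minor reputational damage", "medium", "low",
         {"preventive": ["managed hosting"], "detective": ["uptime monitor"]}),
]

# Constructed risk appetite: anything scoring 2 or less is accepted as-is.
APPETITE = 2

if __name__ == "__main__":
    for asset, threat, score, gaps in prioritise(SAMPLE_REGISTER, APPETITE):
        print(f"score {score}: {asset} / {threat} -> missing {gaps or 'nothing'}")
```

Running it lists the customer database first (score 9, no detective control) and the printer second (score 4, no controls at all), while the brochure site sits within appetite and drops off the list. That ordering is the point of the exercise: it tells you where the next dollar of security budget goes, and the gap column tells you whether that dollar should buy prevention or detection.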

Without conducting a security risk assessment, you may invest too much in security, wasting budget that could be better spent elsewhere. Or, more commonly, you may under-invest in security measures, which could leave your organisation vulnerable to attack. The key is to get the right balance and put your resources where they’ll deliver the best value. A security risk assessment is the ideal way to get the information you need to make smart decisions to protect your business.